Insurance firms must appoint, by April 30, a chief information security officer whose main job will be ensuring data protection.
This is part of the cyber security guidelines from sector regulator Insurance Regulatory and Development Authority of India (Irdai), which will be implemented in phases, the first beginning on April 30 and the full cycle completing by end-March 2018.
"By March 31, all insurance companies will have to appoint a Chief Information Security Officer (CISO) who will be responsible for articulating and enforcing the policies to protect their information assets and formation of Information Security Committee (ISC)," Irdai said in a circular.
The guidelines cover the data, application, operating system and network layers. Security audits and the legal aspects of cyber security are also covered.
Insurance firms that have been in existence for less than three years, however, have been exempted from the requirement of a full-time appointment of a CISO.
Such firms can instead give the responsibility of CISO to any of the functionaries reporting to the Board, Irdai said.
Data security is important, and data needs proper safeguards against theft and misuse, as insurers and related entities share a significant amount of personal and confidential policyholder information, at times even sensitive health-related information, with third parties.
Besides, insurance repositories, call centres and common service centres also have access to policyholders' data.
"While information sharing is essential for conducting the business operations, it is essential to ensure that adequate systems and procedures are in place for ensuring that there is no leakage of information and information is shared only on the need-to-know basis," Irdai said.